I am new to Splunk and I have played around with Splunk Enterprise for a few days. I managed to add data from my local network to monitor how Splunk works. However, when I tried to set up a forwarder sending data to my local index on the same machine, it always ends up with the forwarder blocked.
I understand that a single Splunk instance cannot be used as a forwarder and an indexer at the same time, but is there any other way that I could play around with a forwarder and indexer on the same machine?
Yes, you can do so. There must be something else wrong, like did you enable the receiving port on the indexer? Check out the docs on this topic: http://docs.splunk.com/Documentation/Splunk/6.2.3/Forwarding/Enableareceiver. It also includes some troubleshooting.
Yes, you can. I have a Master, Deployment, Forwarder, 2 indexers and a Search head instance. In total 6 instances running on 1 server.
You can install several splunk instances in different directories on the same server.
For example /opt/splunk1/ as indexer1 and /opt/splunk2/ as indexer2
Use different port numbers for the web interface, replication, etc.
You can now start each splunk instance separately.
I have used this to test multi indexer cluster environment on one server.
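As an added example (not part of the thread or of Splunk's own tooling), the script below checks a set of same-host Splunk installs for the two problems raised above: instances left on the same web or management port, and a forwarder whose `outputs.conf` target is not a port any instance has enabled for receiving. The instance names and config contents are constructed; the stanzas read are `[settings]` `httpport`/`mgmtHostPort` in `web.conf`, `[splunktcp://<port>]` in `inputs.conf` and `[tcpout:<group>]` `server` in `outputs.conf`.

```python
import configparser
from collections import defaultdict

def parse(text):
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    return cp

def listening_ports(confs):
    # Role -> port for one instance; 8000/8089 are the stock web/management ports.
    web = parse(confs.get("web.conf", ""))
    mgmt = web.get("settings", "mgmtHostPort", fallback="127.0.0.1:8089")
    ports = {"web": int(web.get("settings", "httpport", fallback="8000")),
             "mgmt": int(mgmt.rsplit(":", 1)[-1])}
    for section in parse(confs.get("inputs.conf", "")).sections():
        if section.startswith("splunktcp://"):  # receiving is enabled on this port
            ports["receive"] = int(section.rsplit(":", 1)[-1].lstrip("/"))
    return ports

def collisions(instances):
    # Ports claimed by more than one instance on the same host.
    owners = defaultdict(list)
    for name, confs in instances.items():
        for role, port in listening_ports(confs).items():
            owners[port].append(f"{name}:{role}")
    return {p: o for p, o in owners.items() if len(o) > 1}

def unreceived_targets(instances):
    # outputs.conf targets that no instance has enabled as a receiver.
    receivers = {listening_ports(c).get("receive") for c in instances.values()}
    missing = []
    for name, confs in instances.items():
        out = parse(confs.get("outputs.conf", ""))
        for section in (s for s in out.sections() if s.startswith("tcpout:")):
            for target in out.get(section, "server", fallback="").split(","):
                if target.strip() and int(target.rsplit(":", 1)[-1]) not in receivers:
                    missing.append((name, target.strip()))
    return missing

# Constructed sample: contents of each install's etc/system/local directory.
BROKEN = {"indexer": {"inputs.conf": "[splunktcp://9997]\ndisabled = 0\n"},
          "forwarder": {"outputs.conf": "[tcpout:local_idx]\nserver = 127.0.0.1:9998\n"}}
FIXED = {"indexer": BROKEN["indexer"], "forwarder": {
    "web.conf": "[settings]\nhttpport = 8001\nmgmtHostPort = 127.0.0.1:8090\n",
    "outputs.conf": "[tcpout:local_idx]\nserver = 127.0.0.1:9997\n"}}

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, collisions(cfg), unreceived_targets(cfg))
```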